Email enumeration via sending a magic sign in link functionality in healthchecks/healthchecks

Valid

Reported on

Jan 20th 2023


Description

The sending a magic sign in link functionality is vulnerable to an email enumeration attack.

Proof of Concept

If you enter registered email, you will get Login Link Sent! message.

If you enter non-registered email, you will get Unknown email address. message.

Impact

Email enumeration allows an attacker to find valid usernames/emails on the victim application. It can use this information to do more advanced attacks like bruteforcing passwords or phishing attemps.

We are processing your report and will contact the healthchecks team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the healthchecks team and are waiting to hear back a year ago
healthchecks/healthchecks maintainer validated this vulnerability a year ago

Hello bAu, thank you for the report!

Looking into it, the same issue also exists at the registration form–it returns either "Account created, please check your email!" or "An account with this email address already exists.".

It's unfortunate usability and security is at conflict here. Users sometimes confuse the login and the signup forms, and then it is helpful to tell them something along the lines of "an account with this address does not exist, did you mean to sign up?"

The changes I'm planning to make:

  • in both login and signup forms, always return a "Please check your email account for the provided address!" (or similar) message.
  • add rate limiting by client IP for the login action (the signup action already has rate limiting)

Thanks, Pēteris

bauh0lz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
bAu
a year ago

Researcher


@maintainer The changes look good :)

Pēteris Caune marked this as fixed in v2.6 with commit 359edb a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation